Re: [jetty-users] Updating SSL keystore

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Updating SSL keystore

From: Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx>
Date: Wed, 8 Feb 2017 14:28:14 +0100
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0

Hi Simone,

I guess you mean details about what I do about the reload?

Well, here it comes but since I embed Jetty this may be of little use toothers. And I took the liberty of taking a hackish shortcut to test ifit would actually work for me...

My Jetty embedding is done in a class called JettyServletContainer thatsets up a Server instance. It exposes some setup methods to addHTTP-ports, HTTPS-ports, directory-contexsts and servlet-contexts inorder to decorate the server before actually starting it.

The method that adds servlet-contexts adds a reference to the wrappingJettyServletContainer instance to the ServletContexHandler attributes.That way Servlet instances can access the wrapper via the ServletContextof a HttpServletRequest.I extended the method that adds HTTPS-ports to collect a list with allthe resulting SslContextFactory instances inside the wrapper. Then Iadded a method reloadSslCertificates that iterates this list and callsreload on each SslContextFactory instance. I provide a dummy consumerthat does nothing. Note that I normally only have one HTTPS port in myapplication so the list will have a size 1.

Then it is simply a case of usingrequest.getServletContext.getAttribute("container").asInstanceOf[JettyServletContainer]or something similar and call the reloadSslCertificates on it somewhere.

I warned you: it is a hack but for now it seems to work. If I am doingsomething wrong or even dangerous please let me know. I may just betempted to leave it as it is for now...


Cheers,

Silvio


On 02/08/2017 11:47 AM, Simone Bordet wrote:

Hi,

On Wed, Feb 8, 2017 at 11:40 AM, Silvio Bierman
<sbierman@xxxxxxxxxxxxxxxxxx> wrote:

Hello all,

I just want to report back about this: it works like a charm for me. We
implement multi-tenancy with client-specific SSL certificates using Jetty
SNI support. The keystore needs to be updated/extended frequently and until
now we had to restart the server to get the new certificates available.
Being able to do this while running is awesome.

Great !

Would be awesome if you can detail your solution.
We are interested at real world use cases, especially for this one
where Jetty provides the basic mechanism, but applications have to
write a bit of code to actually make use of the feature.

Thanks !

Follow-Ups:
- Re: [jetty-users] Updating SSL keystore
  - From: Simone Bordet

References:
- [jetty-users] Updating SSL keystore
  - From: John English
- Re: [jetty-users] Updating SSL keystore
  - From: Simone Bordet
- Re: [jetty-users] Updating SSL keystore
  - From: Silvio Bierman
- Re: [jetty-users] Updating SSL keystore
  - From: Simone Bordet

Prev by Date: Re: [jetty-users] Updating SSL keystore
Next by Date: Re: [jetty-users] Updating SSL keystore
Previous by thread: Re: [jetty-users] Updating SSL keystore
Next by thread: Re: [jetty-users] Updating SSL keystore
Index(es):
- Date
- Thread

Breadcrumbs